REMARKS 

Claims 1 - 2 are pending in the application. 

Claims 1 and 2 have been rejected under 35 USC §1 02(e) as being 
allegedly anticipated by Muttik et al (US Patent No. 6,907,396). 

Prior to discussing the rejection, a brief summary of the object of the 
invention is provided. The present invention is directed to a method of detecting 
malicious scripts using code insertion technique, in which relevant scripts can 
determine the presence of their own maliciousness without any external help 
upon the execution of the scripts, by inserting script codes capable of performing 
the self-detection before and after the original script. (See paragraph 0013 in 
present application). In stark contrast, Muttik et al. provides a method for 
emulating computer viruses or other malicious software that operates by patching 
additional instructions into an emulator in order to aid in the process of detecting, 
decrypting or disinfecting code containing a computer virus of other malicious 
software, more specifically, by loading emulator extension. In other words, Muttik 
teaches that the emulator extension is to be executed in the "malicious code" 
instead of the original script as in the claimed invention. 

In making the rejection, the Examiner contends that Muttik et al. teaches 
the method of detecting malicious scripts as recited in claims 1 and 2 of the 
present invention. In particular. Examiner contends that Muttik et al teaches the 
step of "inserting a self-detection routine (malicious behavior detection routine) 
call sentence before and after a method call sentence of an original script, as 
recited in the claim. The Examiner relied on column 4, lines 53-63 of Muttik et al 
which states that the "emulator extension 204 can be executed before the 
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suspect code 108 is executed..." and on column 5, lines 1-3 of Muttik et al. '396 
which states that the "emulator extension 204 can be emulated after the suspect 
code 108 is emulated..." to support this rejection. However, inserting the 
emulator extension 204 can be executed before the suspect code 108 is 
executed and emulating the emulator extension 204 after the suspect code 108 
is emulated is not the same as inserting a self-detection routine (malicious 
behavior detection routine) call sentence before and after a method call 
sentence of an original script , as recited in the claim. Therefore, not only does 
Muttik et al. disclose a substantially different method of detecting malicious 
scripts using insertion, but Muttik fails to teach of suggest inserting a self- 
detection routine (malicious behavior detection routine) call sentence before and 
after a method call sentence of an original script , as recited in the claim. 

As is well settled, anticipation requires "identity of invention." 
Glaverbel Societe Anonyme v. Northlake Mktg. & Supply, 33 USPQ2d 1496, 
1498 (Fed. Cir. 1995). Each and every element recited in a claim must be found 
in a single prior art reference and arranged as in the claim. In re Marshall, 198 
USPQ 344, 346 (CCPA 1978); Lindemann Maschinenfabrik GMBH v. American 
Hoist and Derrick Co., 221 USPQ 481, 485 (Fed. Cir. 1984). There must be no 
differences between what is claimed and what is disclosed in the applied 
reference. In re Kalm, 154 USPQ 10, 12 (CCPA 1967); Scripps v. Genentech 
Inc., 18 USPQ2d 1001, 1010 (Fed. Cir. 1991). "Moreover, it is incumbent upon 
the Examiner to identify wherein each and every facet of the claimed invention is 
disclosed in the applied reference." Ex parte Levy, 17 USPQ2d 1461, 1462 
(BPAI 1990). The Examiner is required to point to the disclosure in the reference 
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"by page and line" upon which the claim allegedly reads. Choing v. Roland, 17 
USPQ2d 1541, 1543 (BPAI 1990). "Anticipation of a claimed product cannot be 
predicated on mere conjecture as to the characteristics of a prior art product." Ex 
parte Standish, 10 USPQ2d 1454, 1457 (BPAI 1989). That the claimed product 
"could" result from the process disclosed in the applied reference, is insufficient 
to support a conclusion that it will inherently result, and insufficient to support a 
conclusion that what is claimed in anticipated. Glaxo Inc. v. Novopharm Ltd., 34 
USPQ2d 1565, (Fed. Cir. 1995). 

Accordingly, since Muttik does not teach and the Examiner fails to show 
where in Muttik et al it is taught or suggested that a routine call sentence be 
inserted before and after a method call sentence of an original script in order to 
detect a malicious scripts, as required by the claims. In view of the foregoing, it is 
respectfully requested that the rejection under 35 USC §1 02(e) be reconsidered 
and withdrawn. 

In the Office Action, Claim 1 has also been rejected under 35 U.S.C. § 
102(b) as allegedly being anticipated by Bond et al. (US Patent No. 6,275, 938). 
As with Muttik discussed above, Bond et al. does not specifically teach or 
suggest a method wherein a self-detection routine (equal to Bond's check or sniff 
code) is inserted before and after a method call sentence of an original script as 
required in Claim 1. Instead, the method described in Bond, in particular Step 
423 ''inserts check code into the applet's own code to enforce prohibition against 
disallowed memory references." (See Bond, column 7, lines 17-41). In other 
words, the check code in Bond et al is inserted within the sequence, unlike the 
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claimed invention where the self-detection routine is inserted before and after a 
method call sentence of an original script. 

Moreover, as indicated at page 3 of the present application, inserting self- 
detection routines within the sequence in order to detect malicious behavior 
leads to a high rate of false negatives, a problem that the present invention is 
designed to overcome. 

Accordingly, in view of the forgoing remarks, it is respectfully submitted all 
claims pending herein are in condition for allowance. Please contact the 
undersigned attorney should there be any questions. A petition for an automatic 
one-month extension of time for response under 37 C.F.R. §1.1 36(a) is enclosed 
in triplicate, together with the requisite petition fee and fee for the additional 
claims introduced herein. 

Early favorable action is earnestly solicited. 




Respectfully submitted, 
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